HIPAA vs. SAMHSA 42 CFR Part 2 — Managing Disclosures of Substance Use Disorder Information

HEALTHCARE May 07, 2019 90 minutes
01:00 PM EST 12:00 PM CST 11:00 AM MST 10:00 AM PST

Description:-

This session focuses on the issues of managing disclosures of health information when it may involve substance use disorder treatment information.  HIPAA allows a number of disclosures without consent that SAMHSA prohibits without a specific consent.  We will explain how HIPAA and 42 CFR Part 2 are similar and how they’re different, and what are the additional considerations when substance use disorder information is involved. We will discuss the latest guidance from HHS and SAMHSA about harmonization of HIPAA and 42 CFR Part 2, as well as recent changes to Part 2 and new legislation affecting the sharing of information for treatment when substance use disorder information is involved.

Attendees will learn how the rules on Substance Use Disorder information can affect records storage and release processes, and how the HIPAA and SAMHSA rules are different and similar.  There are some significant differences between the HIPAA and 42 CFR Part 2 rules that need to be understood, especially when it comes to involving family and friends in an individual’s treatment, which HIPAA allows, but Part 2 does not.  

When substance use disorder treatment information is involved, first you need to understand how to identify it.  We will discuss how to make it distinguishable from “regular” health information, so that the appropriate extra protections can be provided.  You may be able to use functions in your EHR to flag the information, or you may create a manual process for tracking the information, if it is rarely handled in your organization.  And the substance use disorder treatment information you collect may or may not be under SAMHSA depending on whether or not you have a department or even a response team that specializes in SAMHSA-related situations.  You need to understand your status under the rules before you release information inappropriately.  We will discuss what qualifies treatment that falls under SAMHSA.

If your organization provides services that create information that is under the SAMHSA regulations, you will need to establish the consent and release of information processes that are required to be followed for information releases under 42 CFR Part 2.  This involves getting the proper consents upon establishment of the relationship, as well as managing consents for releases that may be necessary after the initial establishment of the relationship.  The session will include an explanation of the consent and release requirements that must be followed.

When you release information under HIPAA, there are no special notices required to be placed on the records.  But when you release information under SAMHSA, each document must have a notice that explains that re-disclosure is not permitted without a new consent.  Complicating matters are updated rules going into effect that will allow a consent that permits a re-release to a defined team of providers caring for the individual, but then require meticulous documentation of to whom the information has been released under such a consent.  The session will go over the rules on consents and re-release of information.

Meanwhile there have been some significant changes to the Part 2 rules that make some sharing of information for treatment purposes easier, and new legislation to deal with substance use disorders is being adopted.  Recent significant changes to the rules and expected changes under new law will be presented and explained.

We will discuss these key issues, and the future of Part 2 information handling, in this important session.

Areas Covered in the Session:-

  • What HIPAA allows, what SAMHSA requires, and the differences will be explained.
  • We will examine how to determine if the services you provide place you under 42 CFR Part 2.
  • We will explore the means for making sure substance abuse treatment information receives the appropriate protections.
  • The consent and release requirements under 42 CFR Part 2 will be explained.
  • Re-release of information released under 42 CFR Part 2 will be discussed.
  • Sharing of information with family and friends in an overdose incident will be explored.
  • The latest guidance from the US Department of Health and Human Services as well as recent and new laws on harmonization of SAMHSA and HIPAA will be explained.

Background:-

With the current epidemic of opioid abuse, there has been a great deal of publicity around the release of information and the necessity to share information with family and friends to facilitate recovery.  The rules remain in place as-is, but are expected to change in the future.  HHS has issued guidance on how to deal with the regulations in the face of the crisis, but the inconsistencies and difficulties remain.  In this session we will review the guidance and learn how it helps explain some of the rules.

Why Should You Attend?

For much of healthcare, HIPAA sets the standards for how to manage uses and disclosures of patient information, known as Protected Health Information (PHI).  But when it comes to information related to the treatment of substance use disorders, regulations of the Substance Abuse and Mental Health Services Administration (SAMHSA) under 42 CFR Part 2 prevail.  These rules apply to information collected under SAMHSA, which may be difficult to separate from "regular" PHI in your records, and there are special rules for disclosure and re-disclosure of substance abuse treatment information.    

Today we are in the midst of an epidemic of substance use disorders, and particularly opioid abuse, and more and more providers are involved in providing treatment to people with substance use disorders.  When substance use disorders are involved, the rules of SAMHSA under 42 CFR Part 2 come into play.  But who is covered under the rules, what’s involved in meeting them, and how do they interact with HIPAA?  HIPAA allows a number of disclosures, for treatment, payment, and healthcare operations purposes, without consent from the individual being treated.  SAMHSA rules, on the other hand, require consent for every disclosure or re-disclosure, and if the proper consents aren’t obtained, the provider can be in violation of the rules and subject to penalties.

Not every provider that treats a person with substance abuse issues automatically falls under the SAMHSA rules, and not all mental health information is necessarily substance abuse information.  How do you know whether or not your services put you under the SAMHSA regulations?  If you are under 42 CFR Part 2, how do you identify and keep separate the substance abuse information?

When a provider receives health information about an individual, under HIPAA the provider may re-disclose the information as needed for treatment, payment, and healthcare operations purposes.  Information may be received, however, that has a special notice on it about re-disclosure, requiring consent from the individual before re-disclosure.  Even though you may not operate under SAMHSA rules, you have obligations to respect the SAMHSA consent requirements.  How can you make sure information is only shared appropriately and is not released contrary to the rules?

Who will Benefit?

Compliance Manager, HIPAA Privacy Officer, HIPAA Security Officer, CEO, Office Manager, HR Director, Privacy Officer, CIO, Records Release Manager, HIM Manager, Counsel

Presenter BIO
Jim Sheldon-Dean

is the founder and director of compliance services at Lewis Creek Systems, LLC, a Vermont-based consulting firm founded in 1982, providing information privacy and security regulatory compliance services to a wide variety of healthcare entities. He is a frequent speaker regarding HIPAA, including speaking engagements at numerous regional and national healthcare association conferences and conventions and the annual NIST/OCR HIPAA Security Conference. Sheldon-Dean has more than 18 years of experience specializing in HIPAA compliance, more than 36 years of experience in policy analysis and implementation, business process analysis, information systems and software development, and eight years of experience doing hands-on medical work as a Vermont certified volunteer emergency medical technician. Sheldon-Dean received his B.S. degree, summa cum laude, from the University of Vermont and his master’s degree from the Massachusetts Institute of Technology

Refer Friend Sponsor This Webinar
© 2024 Copyright Online Audio Training. All Rights Reserved